Back to skill

Security audit

SQL Guard Copilot

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate SQL helper, but it asks for database access while its read-only safety claims are weakened by hidden-in-docs write bypasses and under-disclosed LLM schema sharing.

Review before installing. Use a dedicated read-only database account, avoid --allow-write and --no-lint unless you explicitly intend that authority, do not use ask mode with confidential schemas unless your policy allows sending schema metadata to the configured LLM provider, and keep any audit log path private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exposes environment-variable handling, network use, and file-write capability in its documented workflow, but it does not declare any permissions or constraints for those capabilities. That mismatch weakens policy enforcement and user visibility: the skill can access credentials like SQL_DSN and OPENAI_API_KEY, contact databases or model endpoints, and write audit logs without an explicit permission boundary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The tool is advertised as providing safe read-only SQL execution, but the `query` command exposes `--allow-write`, which disables the only read-only guard before executing attacker- or user-supplied SQL. In an agent setting, this creates a direct path to destructive or state-changing database operations, contradicting the skill's stated safety model and increasing the chance that a caller or prompt injection causes writes.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The `ask` command can generate SQL from natural language and also accepts `--allow-write`, meaning a remote model's output can bypass the read-only guard and be executed directly. This is especially dangerous because the SQL is not authored directly by the user and may be influenced by ambiguous prompts or malicious instruction content, enabling unintended modification or destruction of data.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The `ask` flow sends schema context and the user's natural-language question to an external API via `call_openai_chat`, creating outbound data disclosure that may include sensitive metadata about internal databases. In a SQL assistant, schema names, table names, and column names can themselves be confidential, so transmitting them off-box without explicit declaration and consent is a real security concern.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
Describing the tool as 'Safe' and 'read-only' while also documenting a supported path to disable protections is a dangerous trust-boundary mismatch. In agent ecosystems, misleading safety claims can cause operators to grant broader access or invoke the tool in contexts where write capability and externalized risk would otherwise be rejected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The LLM-backed `ask` command transmits discovered schema and the user's request to a remote API, but the user-facing flow does not prominently warn that database metadata is leaving the local environment. This can expose sensitive business structure, tenant names, or regulated data hints, and the skill context makes that more dangerous because users may reasonably expect a local SQL helper rather than a cloud-connected assistant.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.